Abstract. Stochastic branching processes are a classical model for describing random trees, which have applications in numerous fields including biology, physics, and natural language processing. In particular, they have recently been proposed to describe parallel programs with stochastic process creation. In this paper, we consider the problem of model checking stochastic branching processes. Given a branching process and a deterministic parity tree automaton, we are interested in computing the probability that the generated random tree is accepted by the automaton. We show that this probability can be compared with any rational number in PSPACE, and with 0 and 1 in polynomial time. In a second part, we suggest a tree extension of the logic PCTL, and develop a PSPACE algorithm for model checking a branching process against a formula of this logic. We also show that the qualitative fragment of this logic can be model checked in polynomial time.



1 Introduction 

Consider an interactive program featuring two types of threads: interruptible threads (type I) and blocking threads (type B) which perform a non-interruptible computation or database transaction. An I-thread responds to user commands which occasionally trigger the creation of a B-thread. A B-thread may either terminate, or continue, or spawn another B-thread in an effort to perform its tasks in parallel. Under probabilistic assumptions on the thread behaviour, this scenario can be modelled as a stochastic branching process as follows:



This means, e.g., that a single step of an I-thread spawns a B-thread with probability 0.1. We have modelled the termination of a B-thread as a transformation into a "dead" state D. A "run" of this process unravels an infinite tree whose branches record the computation of a thread and its ancestors. For example, Figure 1(a) shows the prefix of a tree that the example process might create. The probability of creating this tree prefix is the product of the probabilities of the applied rules, i.e., $0.1 \cdot 0.9 \cdot 0.1 \cdot 0.3 \cdot 0.5 \cdot 0.2$.

Fig. 1. (a) A prefix of a tree that the example process might create. (b) A finite tree over {I, B, D}. Figures for Section 1 (left) and 2 (right).

This example is an instance of a (stochastic multitype) branching process, which is a classical mathematical model with applications in numerous fields including biology, physics and natural language processing, see e.g. [11,12]. In [12] an extension of branching processes was introduced to model parallel programs with stochastic process creation. The broad applicability of branching processes arises from their simplicity: each type models a class of threads (or tasks, animals, infections, molecules, grammatical structures) with the same probabilistic behaviour.

This paper is about model checking the random trees created by branching processes. Consider a specification that requires a linear-time property to hold along all tree branches. In the example above, e.g., we may specify that "no process should become forever blocking", more formally, "on all branches of the tree we see infinitely many I or D". We would like to compute the probability that all branches satisfy such a given $\omega$-regular word property. Curiously, this problem generalises two seemingly very different classical problems:

(i) If all rules in the branching process are of the form $X \stackrel{p}{\hookrightarrow} Y$, i.e., each node has exactly one child, the branching process describes a finite-state Markov chain. Computing the probability that a run of such a Markov chain satisfies an $\omega$-regular property is a standard problem in probabilistic verification, see e.g. piTB] .

(ii) If for each type X in the branching process there is only one rule $X \hookrightarrow \alpha$ (where $\alpha$ is a nonempty sequence of types), then the branching process describes a unique infinite tree. Viewing the types in $\alpha$ as possible successor states of X in a finite nondeterministic transition system, the branches in the created tree are exactly the possible runs in the finite transition systems. Of course, checking if all runs in such a transition system satisfy an $\omega$-regular specification is also a well-understood problem.

1 We disallow "terminating" rules like $B \hookrightarrow \varepsilon$. This is in contrast to classical branching processes, but technically more convenient for model checking, where absence of deadlocked states is customarily assumed.

One could expect that well-known Markov-chain based techniques for dealing with problem (i) can be generalised to branching processes. This is not the case: it follows from our results that in the example above, the probability that all branches satisfy the mentioned property is 0; however, if the numbers 0.2 and 0.3 in (1) are swapped, the probability changes from 0 to 1. This is in sharp contrast to finite-state Markov chains, where qualitative properties (satisfaction with probability 0 resp. 1) do not depend on the exact probability of individual transitions.

The rules of a branching process are reminiscent of the rules of probabilistic pushdown automata (pPDA) or the equivalent model of recursive Markov chains (RMCs). However, the model-checking algorithms for both linear-time and branching-time logics proposed for RMCs and pPDAs 09 10 do not work for branching processes, essentially because pPDA and RMCs specify Markov chains, whereas branching processes specify random trees. Branching processes cannot be transformed to pPDAs, at least not in a straightforward way. Note that if the rules in the example above are understood as pPDA rules with I as starting symbol, then B will never even occur as the topmost symbol.

To model check branching processes, we must leave the realm of Markov chains and consider the probability space in terms of tree prefixes [11,12]. Consequently, we develop algorithms that are very different from the ones dealing with the special cases (i) and (ii) above. Nevertheless, for qualitative problems (satisfaction with probability 0 resp. 1) our algorithms also run in polynomial time with respect to the input models, even for branching processes that do not conform to the special cases (i) and (ii) above.

Instead of requiring a linear-time property to hold on all branches, we consider more general specifications in terms of deterministic parity tree automata. In a nutshell, our model-checking algorithms work as follows: (1) compute the "product" of the input branching process and the tree automaton; (2) reduce the analysis of the resulting product process to the problem of computing the probability that all branches reach a "good" symbol; (3) compute the latter probability by setting up and solving a nonlinear equation system. Step (1) can be seen as an instance of the automata-theoretic model-checking approach. The equation systems of step (3) are of the form $x = f(x)$, where x is a vector of variables, and $f(x)$ is a vector of polynomials with nonnegative coefficients. Solutions to such equation systems can be computed or approximated efficiently [9,6,8]. Step (2) is, from a technical point of view, the main contribution of the paper; it requires a delicate and nontrivial analysis of the behaviour of branching processes.

In Section 4 we also consider logic specifications. We propose a new logic, PTTL, which relates to branching processes in the same manner as the logic PCTL relates to Markov chains. Recall that PCTL contains formulae such as $[\phi \mathsf{U} \psi]_{\ge p}$ which specifies that the probability of runs satisfying $\phi \mathsf{U} \psi$ is at least p. For PTTL we replace the linear-time subformulae such as $\phi \mathsf{U} \psi$ with tree subformulae such as $\phi \mathsf{EU} \psi$ or $\phi \mathsf{AU} \psi$, so that, e.g., $[\phi \mathsf{EU} \psi]_{\ge p}$ specifies that the probability of trees that have a branch satisfying $\phi \mathsf{U} \psi$ is at least p, and $[\phi \mathsf{AU} \psi]_{\ge p}$ specifies that the probability of trees all whose branches satisfy $\phi \mathsf{U} \psi$ is at least p. We show that branching processes can be model checked against this logic in PSPACE, and against its qualitative fragment in polynomial time.

2 Intuitively, this is because a B-thread more often clones itself than dies.

Related work. The rich literature on branching processes (see e.g. [11,12] and the references therein) does not consider model-checking problems. Probabilistic split-join systems [12] are branching processes with additional features for process synchronisation and communication. The paper [12] focuses on performance measures (such as runtime, space and work), and does not provide a functional analysis. The models of pPDAs and RMCs also feature dynamic task creation by means of procedure calls, however, as discussed above, the existing model-checking algorithms [7,9,10] do not work for branching processes. Several recent works [9,6,8] have studied the exact and approximative solution of fixed-point equations of the above mentioned form. Our work connects these algorithms with the model-checking problem for branching processes.

Organisation of the paper. After some preliminaries (Section 2), we present our results on parity specifications in Section 3. In Section 4 we propose the new logic PTTL and develop model-checking algorithms for it. We conclude in Section 5. Some proofs have been moved to an appendix.

2 Preliminaries 

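We let $\mathbb{N}$ and $\mathbb{N}_0$ denote the set of positive and nonnegative integers, respectively. Given a finite set $\Gamma$, we write $\Gamma^* := \bigcup_{k \in \mathbb{N}_0} \Gamma^k$ for the set of tuples and $\Gamma^+ := \bigcup_{k \in \mathbb{N}} \Gamma^k$ for the set of nonempty tuples over $\Gamma$.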

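Definition 1 (Branching process). A branching process is a tuple $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ where $\Gamma$ is a finite set of types, $\hookrightarrow \subseteq \Gamma \times \Gamma^+$ is a finite set of transition rules, Prob is a function assigning positive probabilities to transition rules so that for every $X \in \Gamma$ we have that $\sum_{X \hookrightarrow \alpha} \mathit{Prob}(X \hookrightarrow \alpha) = 1$.

We write $X \stackrel{p}{\hookrightarrow} \alpha$ if $\mathit{Prob}(X \hookrightarrow \alpha) = p$. Observe that since the set of transition rules is finite, there is a global upper bound $K_\Delta$ such that $|\alpha| \le K_\Delta$ for all $X \hookrightarrow \alpha$.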

A tree is a nonempty prefix-closed language $V \subseteq \mathbb{N}^*$ for which there exists a function $\beta_V : V \to \mathbb{N}_0$ such that for all $w \in V$ and $k \in \mathbb{N}$, $wk \in V$ if and only if $k \le \beta_V(w)$. $\beta_V(w)$ is called the branching degree of w in V. We denote by $B_f$ the set of finite trees, and by $B_i$ the set of infinite trees without leaves (i.e. trees such that $\beta_V(w) > 0$ for all $w \in V$). A prefix of V is a tree $V' \subseteq V$ such that for all $w \in V'$, $\beta_{V'}(w) \in \{0, \beta_V(w)\}$.

A tree over $\Gamma$ is a pair $(V, \ell)$ where V is a tree, and $\ell : V \to \Gamma$ is a labelling function on the nodes. Given a tree $t = (V, \ell)$ with a node $u \in V$, we write $t_u = (V_u, \ell_u)$ for the subtree of t rooted at u; here $V_u = \{w \in \mathbb{N}^* \mid uw \in V\}$ and $\ell_u(w) = \ell(uw)$ for $w \in V_u$. A tree $(V', \ell')$ is a prefix of $(V, \ell)$ if $V'$ is a prefix of V and $\ell'(w) = \ell(w)$ for all $w \in V'$.

A path (resp. branch) in a tree $t = (V, \ell)$ is a finite (resp. infinite) sequence $u_0, u_1, \ldots$ with $u_i \in V$ such that $u_0 = \varepsilon$ is the root of t, and $u_{i+1} = u_i k_i$ for $k_i \in \mathbb{N}$ is a child of $u_i$. A branch label of t is a sequence $\ell(u_0), \ell(u_1), \ldots$, where $u_0, u_1, \ldots$ is a branch. The successor word of a node $w \in V$ is $\sigma_t(w) = \ell(w1) \ldots \ell(w\beta_V(w))$.

Given a tree $t = (V, \ell)$ over $\Gamma$ and a subset $W \subseteq V$, we write $t \models \mathsf{AF}W$ if all its branches go through W, i.e., for all $v \in V$ there is a $w \in W$ such that v is a predecessor of w or vice versa. If $A \subseteq \Gamma$, we write $t \models \mathsf{AF}A$ for $t \models \mathsf{AF}\{w \in V \mid \ell(w) \in A\}$. Similarly, we write $t \models \mathsf{AG}A$ if $\ell(w) \in A$ for all $w \in V$.



Example 2. We illustrate these notions. Figure 1(b) shows a finite tree $t = (V, \ell) \in B_f$ over $\Gamma$ with $\Gamma = \{I, B, D\}$ and $V = \{\varepsilon, 1, 11, 111, 112, 2, 21, 211, 22, 221\}$ and, e.g., $\ell(\varepsilon) = I$ and $\ell(112) = B$. We have $\beta_V(\varepsilon) = 2$ and $\beta_V(21) = 1$ and $\beta_V(211) = 0$. The node 2 is a predecessor of 211. The tree $t' = (V', \ell')$ with $V' = \{\varepsilon, 1, 2, 21, 22\}$ and $\ell'$ being the restriction of $\ell$ on $V'$ is a prefix of t. The sequence $\varepsilon, 2, 21$ is a path in t. We have $\sigma_t(11) = IB$. The tree satisfies $t \models \mathsf{AF}\{1, 21, 221\}$ and $t \models \mathsf{AF}\{I\}$.

A tree $t = (V, \ell)$ over $\Gamma$ is generated by a branching process $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ if for every $w \in V$ with $\beta_V(w) > 0$ we have $\ell(w) \hookrightarrow \sigma_t(w)$. We write $(\!|\Delta|\!)$ and $[\![\Delta]\!]$ for the sets of trees $(V, \ell)$ generated by $\Delta$ with $V \in B_f$ and $V \in B_i$, respectively. For any $X \in \Gamma$, $(\!|\Delta|\!)_X \subseteq (\!|\Delta|\!)$ and $[\![\Delta]\!]_X \subseteq [\![\Delta]\!]$ contain those trees $(V, \ell)$ for which $\ell(\varepsilon) = X$.

Definition 3 (Probability space of trees, cf. [11, Chap. VI]). Let $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ be a branching process. For any finite tree $t = (V, \ell) \in (\!|\Delta|\!)$, let the cylinder over t be $\mathrm{Cyl}_\Delta(t) := \{t' \in [\![\Delta]\!] \mid t \text{ is a prefix of } t'\}$, and define $p_\Delta(t) := \prod_{w \in V : \beta_V(w) > 0} \mathit{Prob}(\ell(w), \sigma_t(w))$. For each $X \in \Gamma$ we define a probability space $([\![\Delta]\!]_X, \Sigma_X, \Pr_X)$, where $\Sigma_X$ is the $\sigma$-algebra generated by $\{\mathrm{Cyl}_\Delta(t) \mid t \in (\!|\Delta|\!)_X\}$, and $\Pr_X$ is the probability measure generated by $\Pr_X(\mathrm{Cyl}_\Delta(t)) = p_\Delta(t)$. Sometimes we write $\Pr^\Delta_X$ to indicate $\Delta$. We may drop the subscript of $\Pr_X$ if X is understood. We often write $t_X$ to mean a tree $t \in [\![\Delta]\!]_X$ randomly sampled according to the probability space above.

Example 4. Let $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ be the branching process with $\Gamma = \{I, B, D\}$ and the rules as given in (1) on page 1. The tree t from Figure 1(b) is generated by $\Delta$: we have $t \in (\!|\Delta|\!)_I$. We have $\Pr_I(\mathrm{Cyl}_\Delta(t)) = p_\Delta(t) = 0.1 \cdot 0.9 \cdot 0.1 \cdot 0.3 \cdot 0.5 \cdot 0.2$; this is the probability of those trees $t' \in [\![\Delta]\!]_I$ that have prefix t.

We say that a quantity $q \in [0, 1]$ is PPS-expressible if one can compute, in polynomial time, an integer $m \in \mathbb{N}$ and a fixed-point equation system $x = f(x)$, where x is a vector of m variables, f is a vector of m multivariate polynomials over x with nonnegative rational coefficients, $f(\mathbf{1}) \le \mathbf{1}$ where $\mathbf{1}$ denotes the vector $(1, \ldots, 1)$, and q is the first component of the least nonnegative solution $y \in [0, \infty)^m$ of $x = f(x)$.

Proposition 5. Let q be PPS-expressible. We have:

(a) For $\tau \in \{0, 1\}$ one can decide in (strongly) polynomial time whether $q = \tau$.

(b) For $\tau \in \mathbb{Q}$ one can decide in polynomial space whether $q \bowtie \tau$, where $\bowtie \in \{<, >, \le, \ge, =, \ne\}$.

(c) One can approximate q within additive error $2^{-j}$ in time polynomial in both j and the (binary) representation size of f.

Part (a) follows from [9,5]. Part (b) is shown in [5, section 4] by appealing to the existential fragment of the first-order theory of the reals, which is decidable in PSPACE, see [3,13]. Part (c) follows from a recent result Corollary 4.5]. The following proposition follows from a classical result on branching processes [11].

Proposition 6. Let $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ be a branching process. Let $X \in \Gamma$ and $A \subseteq \Gamma$. Then $\Pr[t_X \models \mathsf{AF}A]$ is PPS-expressible.

3 Parity Specifications 

In this section we show how to compute the probability of those trees that satisfy 
a given parity specification. 

A (top-down) deterministic (amorphous) parity tree automaton (DPTA) is a tuple $\mathcal{A} = (Q, \Gamma, q_0, \delta, c)$, where Q is the finite set of states, $q_0 \in Q$ is the initial state, $\delta : Q \times \Gamma \times \mathbb{N} \to Q^*$ is the transition function satisfying $|\delta(q, X, n)| = n$ for all $q, X, n$, and $c : Q \to \mathbb{N}$ is a colouring function. Such an automaton $\mathcal{A}$ maps a tree $t = (V, \ell)$ over $\Gamma$ to the (unique) tree $\mathcal{A}(t) = (V, \ell')$ over Q such that $\ell'(\varepsilon) = q_0$ and for all $w \in V$, $\sigma_{\mathcal{A}(t)}(w) = \delta(\ell'(w), \ell(w), \beta_V(w))$.

Automaton $\mathcal{A} = (Q, \Gamma, q_0, \delta, c)$ accepts a tree t over $\Gamma$ if for all branch labels $q_0 q_1 \cdots \in Q^\omega$ of $\mathcal{A}(t)$ the highest colour that occurs infinitely often in $c(q_0), c(q_1), \ldots$ is even.

Example 7. Recall (e.g., from [14]) that any $\omega$-regular word property (e.g., any LTL specification) can be translated into a deterministic parity word automaton. Such an automaton, in turn, can be easily translated into a DPTA which specifies that the labels of all branches satisfy the $\omega$-regular word property. We do not spell out the translation, but let us note that in the resulting tree automaton, for all $(q, X) \in Q \times \Gamma$ there is $q' \in Q$ such that $\delta(q, X, k) = (q', \ldots, q')$ for all k.

Given a colouring function $c : \Gamma \to \mathbb{N}$, a tree $(V, \ell)$ over $\Gamma$ is called good for c if for each branch $u_0, u_1, \ldots$ the largest number that occurs infinitely often in the sequence $c(\ell(u_0)), c(\ell(u_1)), \ldots$ is even. The following proposition is immediate.

Proposition 8. Let $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ be a branching process, and let $\mathcal{A} = (Q, \Gamma, q_0, \delta, c)$ be a DPTA. Define the product of $\Delta$ and $\mathcal{A}$ as the branching process $\Delta_\bullet = (\Gamma \times Q, \hookrightarrow_\bullet, \mathit{Prob}_\bullet)$ with $(X, q) \stackrel{p}{\hookrightarrow}_\bullet (Y_1, q_1) \ldots (Y_k, q_k)$ for $X \stackrel{p}{\hookrightarrow} Y_1 \ldots Y_k$, where $(q_1, \ldots, q_k) = \delta(q, X, k)$. Define $c_\bullet : \Gamma \times Q \to \mathbb{N}$ by $c_\bullet(X, q) := c(q)$. Then for all $X \in \Gamma$ we have

$\Pr^{\Delta}[t_X \text{ is accepted by } \mathcal{A}] = \Pr^{\Delta_\bullet}[t_{(X, q_0)} \text{ is good for } c_\bullet]$.

In view of Proposition 8 it suffices to compute the probability $\Pr[t_X \text{ is good for } c]$, where a branching process $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ with $X \in \Gamma$ and a colouring function $c : \Gamma \to \mathbb{N}$ are fixed for the rest of the section. We write $\Pr[t_X \text{ is good}]$ if c is understood. We distinguish between the qualitative problem, i.e., computing whether $\Pr[t_X \text{ is good}] = 1$ holds for a given $X \in \Gamma$, and the quantitative problem, i.e., the computation of $\Pr[t_X \text{ is good}]$.

3.1 The Qualitative Problem 

The outline of this subsection is the following: We will show that the qualitative problem can be solved in polynomial time (Theorem 12). First we show (Proposition 9) that it suffices to compute all clean types, where "clean" is defined below. We will show (Lemma 11) that a type X is clean if and only if $\Pr[t_X \models \mathsf{AF}A] = 1$ holds for a suitable set $A \subseteq \Gamma$. By Proposition 6 the latter condition can be checked in polynomial time, completing the qualitative problem.

If there exists a tree $(V, \ell) \in [\![\Delta]\!]_X$ and a node $u \in V$ with $\ell(u) = Y$, then we say that Y is reachable from X. Given $X \in \Gamma$ and a finite word $w = X_0 \cdots X_m \in \Gamma^+$, we say that w is X-closing if $m \ge 1$ and $X_m = X$ and $c(X_i) \le c(X)$ for $0 \le i \le m$. A branch with label $X_0 X_1 \cdots \in \Gamma^\omega$ is called X-branch if $X_0 = X$ and there is a sequence $0 = m_0 < m_1 < m_2 < \cdots$ such that $X_{m_i} \cdots X_{m_{i+1}}$ is X-closing for all $i \in \mathbb{N}$. We say that a type $Y \in \Gamma$ is odd (resp. even), if $c(Y)$ is odd (resp. even). Observe that a tree t is good if and only if for all its vertices u and all odd types Y the subtree $t_u$ does not have a Y-branch. A type $Y \in \Gamma$ is clean if Y is even or $\Pr[t_Y \text{ has a } Y\text{-branch}] = 0$. The following proposition reduces the qualitative problem to the computation of all clean types.

Proposition 9. We have that $\Pr[t_X \text{ is good}] = 1$ if and only if all Y reachable from X are clean.

Proof. If there is an unclean reachable Y, then $\Pr[t_Y \text{ is good}] < 1$ and so $\Pr[t_X \text{ is good}] < 1$. Otherwise, for each node v in $t_X$ and for each odd Y we have that $\Pr[(t_X)_v \text{ has a } Y\text{-branch}] = 0$. Since the set of nodes in a tree is countable, it follows that almost surely no subtree of $t_X$ has a Y-branch for odd Y; i.e., $t_X$ is almost surely good. □

Call a path in a tree X-closing if the corresponding label sequence is X-closing. Given $X \in \Gamma$, we define

$N_X := \{Y \in \Gamma \mid \text{no tree in } [\![\Delta]\!]_Y \text{ has an } X\text{-closing path}\}$.

Note that $c(Y) > c(X)$ implies $Y \in N_X$ and that $N_X$ is computable in polynomial time. A word $X_0 X_1 \cdots \in (\Gamma^* \cup \Gamma^\omega)$ is called X-failing if no prefix is X-closing and there is $i \ge 0$ with $X_i \in N_X$. A branch in a tree is called X-failing if the corresponding branch label is X-failing. Given $X \in \Gamma$ and a tree t, let $\mathrm{Clos}_X(t)$ (resp. $\mathrm{Fail}_X(t)$) denote the set of those nodes w in t such that the path to w is X-closing (resp. X-failing) and no proper prefix of this path is X-closing (resp. X-failing). We will need the following lemma.

Lemma 10. Define the events $C := \{t_X \mid t_X \models \mathsf{AF}(\mathrm{Clos}_X(t_X) \cup \mathrm{Fail}_X(t_X))\}$ and $I := \{t_X \mid \mathrm{Clos}_X(t_X) \text{ is infinite}\}$. Then $C \cap I = \emptyset$ and $\Pr[C \cup I] = 1$.

The following lemma states in particular that an odd type X is clean if and only if $\Pr[t_X \models \mathsf{AF}N_X] = 1$. We prove something slightly stronger:

Lemma 11. Define the events $F := \{t_X \mid t_X \models \mathsf{AF}N_X\}$ and $H := \{t_X \mid t_X \text{ has an } X\text{-branch}\}$. Then $F \cap H = \emptyset$ and $\Pr[F \cup H] = 1$.

Now we have: 

Theorem 12. One can decide in polynomial time whether $\Pr[t_X \text{ is good}] = 1$.

Proof. By Proposition 9 it suffices to show that cleanness can be determined in polynomial time. By Lemma 11 an odd type X is clean if and only if $\Pr[t_X \models \mathsf{AF}N_X] = 1$. The latter condition is decidable in polynomial time by Proposition 6. □

Example 13. Consider the branching process with $\Gamma = \{1, 2, 3, 4\}$ and the rules $1 \stackrel{1/3}{\hookrightarrow} 11$, $1 \stackrel{2/3}{\hookrightarrow} 4$, $2 \stackrel{1/2}{\hookrightarrow} 13$, $2 \stackrel{1/2}{\hookrightarrow} 23$, $3 \stackrel{2/3}{\hookrightarrow} 33$, $3 \stackrel{1/3}{\hookrightarrow} 1$, $4 \stackrel{1}{\hookrightarrow} 4$, and the colouring function c with $c(i) = i$ for $i \in \{1, 2, 3, 4\}$. Using a simple reachability analysis one can compute the sets $N_1 = \{2, 3, 4\}$, $N_2 = \{1, 3, 4\}$, $N_3 = \{1, 4\}$, $N_4 = \emptyset$. Applying Proposition 6 we find $\Pr[t_3 \models \mathsf{AF}N_3] < 1 = \Pr[t_1 \models \mathsf{AF}N_1]$. It follows by Lemma 11 that the only unclean type is 3. Since type 3 is only reachable from 2 and from 3, Proposition 9 implies that $\Pr[t_X \text{ is good}] = 1$ holds if and only if $X \in \{1, 4\}$.



3.2 The Quantitative Problem 

Define $G := \{X \in \Gamma \mid \text{all } Y \text{ reachable from } X \text{ are clean}\}$. The following Proposition 14 states that $\Pr[t_X \text{ is good}] = \Pr[t_X \models \mathsf{AF}G]$. This implies, by Proposition 6, that the probability is PPS-expressible (see Theorem 15).

Proposition 14. We have $\Pr[t_X \text{ is good}] = \Pr[t_X \models \mathsf{AF}G]$.

This implies the following theorem.

Theorem 15. For any $X \in \Gamma$ we have that $\Pr[t_X \text{ is good}]$ is PPS-expressible.

Proof. By Proposition 14 we have $\Pr[t_X \text{ is good}] = \Pr[t_X \models \mathsf{AF}G]$. So we can apply Proposition 6 with $A := G$. Note that G can be computed in polynomial time, as argued in the proof of Theorem 12. □

Example 16. We continue Example 13 where we have effectively computed $G = \{1, 4\}$, and thus established that $\Pr[t_1 \text{ is good}] = \Pr[t_4 \text{ is good}] = 1$. By Proposition 14 the probabilities $\Pr[t_2 \text{ is good}]$ and $\Pr[t_3 \text{ is good}]$ are given by $\Pr[t_2 \models \mathsf{AF}G]$ and $\Pr[t_3 \models \mathsf{AF}G]$. Proposition 6 assures that these probabilities are PPS-expressible; in fact they are given by the least nonnegative solution of the equation system $[x_2 = \frac{1}{2} x_3 + \frac{1}{2} x_2 x_3,\ x_3 = \frac{2}{3} x_3^2 + \frac{1}{3}]$, which is $x_2 = \frac{1}{3}$ and $x_3 = \frac{1}{2}$. Hence, we have $\Pr[t_2 \text{ is good}] = \frac{1}{3}$ and $\Pr[t_3 \text{ is good}] = \frac{1}{2}$.
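
The computations of Examples 13 and 16, carried out numerically as an added example that is not part of the original paper. It assumes the usual equation system for AF probabilities (the variable of a type in the target set is 1, otherwise it is the sum over the type's rules of p times the product of the children's variables) and replaces the exact test of Proposition 5(a) by Kleene iteration with a tolerance; all function names are hypothetical.

```python
from math import prod

# Constructed encoding of the rules of Example 13: type -> [(probability, children)].
RULES = {
    1: [(1 / 3, (1, 1)), (2 / 3, (4,))],
    2: [(1 / 2, (1, 3)), (1 / 2, (2, 3))],
    3: [(2 / 3, (3, 3)), (1 / 3, (1,))],
    4: [(1.0, (4,))],
}
COLOUR = {i: i for i in RULES}  # the colouring c(i) = i


def successors(rules, x):
    """Types that can label a child of a node of type x."""
    return {y for _, kids in rules[x] for y in kids}


def reachable(rules, x):
    """Types reachable from x; x itself counts, as it labels the root of t_x."""
    seen, stack = {x}, [x]
    while stack:
        for y in successors(rules, stack.pop()):
            if y not in seen:
                seen.add(y)
                stack.append(y)
    return seen


def n_set(rules, colour, x):
    """N_x: the types y such that no tree rooted in y has an x-closing path.

    An x-closing path starts in y, takes at least one step, ends in x and only
    visits types whose colour is at most c(x).
    """
    low = {y for y in rules if colour[y] <= colour[x]}

    def has_closing_path(y):
        if y not in low:
            return False
        seen, stack = {y}, [y]
        while stack:
            for z in successors(rules, stack.pop()):
                if z == x:  # one or more steps taken, path ends in x
                    return True
                if z in low and z not in seen:
                    seen.add(z)
                    stack.append(z)
        return False

    return {y for y in rules if not has_closing_path(y)}


def prob_af(rules, target, iterations=2000):
    """Approximate Pr[t_Y |= AF target] for every type Y.

    Kleene iteration from 0 converges to the least nonnegative solution of the
    equation system; it is an approximation, not the exact decision procedure.
    """
    x = {y: (1.0 if y in target else 0.0) for y in rules}
    for _ in range(iterations):
        x = {
            y: (1.0 if y in target
                else sum(p * prod(x[k] for k in kids) for p, kids in rules[y]))
            for y in rules
        }
    return x


def clean_types(rules, colour, tol=1e-9):
    """Even types are clean; an odd type X is clean iff Pr[t_X |= AF N_X] = 1."""
    clean = set()
    for x in rules:
        if colour[x] % 2 == 0:
            clean.add(x)
        elif prob_af(rules, n_set(rules, colour, x))[x] > 1 - tol:
            # Numeric stand-in for the exact test; slow convergence in
            # critical cases could need more iterations than used here.
            clean.add(x)
    return clean


def prob_good(rules, colour):
    """Return the set G and the map X -> Pr[t_X is good] = Pr[t_X |= AF G]."""
    clean = clean_types(rules, colour)
    good_set = {x for x in rules if reachable(rules, x) <= clean}
    return good_set, prob_af(rules, good_set)


if __name__ == "__main__":
    for x in RULES:
        print("N_%d =" % x, sorted(n_set(RULES, COLOUR, x)))
    g, pr = prob_good(RULES, COLOUR)
    print("G =", sorted(g))
    for x in RULES:
        print("Pr[t_%d is good] ~ %.6f" % (x, pr[x]))
```
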

A Lower Bound. We close the section with a hardness result in terms of the PosSLP problem, which asks whether a given straight-line program or, equivalently, arithmetic circuit with operations $+$, $-$, $\cdot$, and inputs 0 and 1, and a designated output gate, outputs a positive integer or not. PosSLP is in PSPACE, but not known to be in NP. The PosSLP problem is a fundamental problem for numerical computation, see [1] for more details.

For given $\Gamma$ with $D \in \Gamma$, consider the DPTA $\mathcal{A}_{hit} = (\{q, r\}, \Gamma, q, \delta, c)$ with $c(q) = 1$ and $c(r) = 2$; $\delta(q, X, 1) = (q)$ and $\delta(q, X, 2) = (q, q)$ for $X \in \Gamma \setminus \{D\}$; $\delta(q, D, 1) = (r)$ and $\delta(q, D, 2) = (r, r)$; $\delta(r, X, 1) = (r)$ and $\delta(r, X, 2) = (r, r)$ for $X \in \Gamma$. Automaton $\mathcal{A}_{hit}$ specifies that all branches satisfy the LTL property $\mathsf{F}D$, i.e., all branches eventually hit D. Let QUANT-HIT denote the problem to decide whether $\Pr^{\Delta}[t_X \text{ is accepted by } \mathcal{A}_{hit}] > p$ holds for a given branching process $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ with $X \in \Gamma$ and a given rational $p \in (0, 1)$. By Theorem and Proposition QUANT-HIT is in PSPACE. We have the following proposition:

Proposition 17 (see Theorem 5.3 of [9]). QUANT-HIT is PosSLP-hard.

4 Logic Specifications

In this section, we propose a logic akin to PCTL, called probabilistic tree temporal logic, to specify the properties of random trees generated from a branching process. We also present model-checking algorithms for this logic.

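Definition 18 (PTTL). Probabilistic Tree Temporal Logic (PTTL) formulae over a set $\Sigma$ of atomic propositions are defined by the following grammar:

$\phi, \phi' ::= \top \mid a \mid \neg\phi \mid \phi \wedge \phi' \mid [\psi]_{\bowtie r}$

$\psi ::= \mathsf{AX}\phi \mid \mathsf{EX}\phi \mid \phi\mathsf{AU}\phi' \mid \phi\mathsf{EU}\phi' \mid \phi\mathsf{AR}\phi' \mid \phi\mathsf{ER}\phi'$,

where $a \in \Sigma$, $\bowtie \in \{<, \le, \ge, >\}$, and $r \in \mathbb{Q} \cap [0, 1]$. If $r \in \{0, 1\}$ holds for all subformulae of a PTTL formula $\phi$, we say that $\phi$ is in the qualitative fragment of PTTL. We use standard abbreviations such as $\bot$ for $\neg\top$, $\mathsf{AF}\phi$ for $\top\mathsf{AU}\phi$, $\mathsf{EG}\phi$ for $\bot\mathsf{ER}\phi$, etc.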

For the PTTL semantics we need the notion of a labelled branching process, which is a branching process $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ extended by a function $\chi : \Gamma \to 2^\Sigma$, where $\chi(X)$ indicates which atomic propositions the type X satisfies.

Definition 19 (Semantics of PTTL). Given a labelled branching process $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob}, \chi)$, we inductively define a satisfaction relation $\models$ as follows, where $X \in \Gamma$:

$X \models \top$

$X \models \neg\phi \iff X \not\models \phi$

$X \models \phi \wedge \phi' \iff X \models \phi$ and $X \models \phi'$

$t \models \mathsf{AX}\phi \iff$ for all branches $u_0 u_1 \cdots$ of t we have $\ell(u_1) \models \phi$

$t \models \phi\mathsf{AU}\phi' \iff$ for all branches $u_0 u_1 \cdots$ of t there exists $i \in \mathbb{N}$ with $\ell(u_i) \models \phi'$ and for all $0 \le j < i$ we have $\ell(u_j) \models \phi$

$t \models \phi\mathsf{AR}\phi' \iff$ for all branches $u_0 u_1 \cdots$ of t and for all $i \in \mathbb{N}$ we have $\ell(u_i) \models \phi'$ or there exists $0 \le j < i$ with $\ell(u_j) \models \phi$

The modalities EX, EU and ER are defined similarly, with "for all branches" replaced by "there exists a branch".

We now present the model checking algorithm. The algorithm shares its basic structure with the well-known algorithm for (P)CTL and finite (probabilistic) transition systems. Given a PTTL formula $\phi$, the algorithm recursively evaluates the truth values of the PTTL subformulae $\psi$ of $\phi$ for all types. The boolean operators can be dealt with as in the CTL algorithm. Hence, it suffices to examine formulae of the form $[\psi]_{\bowtie r}$. Observe that we have $\mathsf{EX}\phi \equiv \neg\mathsf{AX}\neg\phi$ and $\phi\mathsf{ER}\phi' \equiv \neg(\neg\phi\mathsf{AU}\neg\phi')$ and $\phi\mathsf{EU}\phi' \equiv \neg(\neg\phi\mathsf{AR}\neg\phi')$ and

$X \models [\neg\psi]_{\bowtie r}$ if and only if $X \models [\psi]_{\overline{\bowtie}\, 1-r}$,

where $\overline{\bowtie} \in \{>, \ge, \le, <\}$ is the complement operator of $\bowtie \in \{<, \le, \ge, >\}$. Hence, it suffices to deal with the following three cases: (i) $X \models [\mathsf{AX}\phi]_{\bowtie r}$; (ii) $X \models [\phi\mathsf{AU}\psi]_{\bowtie r}$; (iii) $X \models [\phi\mathsf{AR}\psi]_{\bowtie r}$. We assume in the following case distinction that the algorithm has already computed the truth values of the subformulae $\phi, \psi$. One could now construct a suitable DPTA for each of the cases (i)-(iii), and proceed according to the machinery of Section 3. Instead we present in the following a more direct and more efficient algorithm which takes advantage of the special shape of the linear-time operators X, U and R.

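Case (i): We have $\Pr[t_X \models \mathsf{AX}\phi] = \sum_{X \stackrel{p}{\hookrightarrow} Y_1 \ldots Y_k,\ \forall i:\, Y_i \models \phi} p$, which is easy to compute. So one can decide in polynomial time whether $X \models [\mathsf{AX}\phi]_{\bowtie r}$.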

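Case (ii): We reduce the check of the $\phi\mathsf{AU}\psi$ modality to a check of AF. To this end, we define a branching process $\Delta' = (\Gamma \times \{0, \frac{1}{2}, 1\}, \hookrightarrow', \mathit{Prob}')$ which tracks the "status" of $\phi\mathsf{AU}\psi$. We define $\Delta'$ in terms of an auxiliary function $f_{\phi,\psi} : \Gamma \to \{0, \frac{1}{2}, 1\}$ with $f_{\phi,\psi}(Y) = 0$ if $Y \models \neg\phi \wedge \neg\psi$, $f_{\phi,\psi}(Y) = \frac{1}{2}$ if $Y \models \phi \wedge \neg\psi$, and $f_{\phi,\psi}(Y) = 1$ if $Y \models \psi$. For any rule $X \stackrel{p}{\hookrightarrow} Y_1 \ldots Y_k$ in $\Delta$, there are three corresponding rules in $\Delta'$, namely $(X, 0) \stackrel{p}{\hookrightarrow}' (Y_1, 0) \ldots (Y_k, 0)$, $(X, 1) \stackrel{p}{\hookrightarrow}' (Y_1, 1) \ldots (Y_k, 1)$, and $(X, \frac{1}{2}) \stackrel{p}{\hookrightarrow}' (Y_1, f_{\phi,\psi}(Y_1)) \ldots (Y_k, f_{\phi,\psi}(Y_k))$. By this construction we achieve $\Pr^{\Delta}[t_X \models \phi\mathsf{AU}\psi] = \Pr^{\Delta'}[t_{X'} \models \mathsf{AF}A]$ for $X' = (X, f_{\phi,\psi}(X))$ and $A := \Gamma \times \{1\}$. Hence, using Propositions 5 and 6 we obtain that whether $X \models [\phi\mathsf{AU}\psi]_{\bowtie r}$ holds is decidable in PSPACE; and in polynomial time for $r \in \{0, 1\}$.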

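Case (iii): Similarly to case (ii) we reduce the check of $\phi\mathsf{AR}\psi$ to a check of AG. This time we define $\Delta' = (\Gamma \times \{0, \frac{1}{2}, 1\}, \hookrightarrow', \mathit{Prob}')$ in terms of an auxiliary function $g_{\phi,\psi} : \Gamma \to \{0, \frac{1}{2}, 1\}$ with $g_{\phi,\psi}(Y) = 0$ if $Y \models \neg\psi$, $g_{\phi,\psi}(Y) = \frac{1}{2}$ if $Y \models \neg\phi \wedge \psi$, $g_{\phi,\psi}(Y) = 1$ if $Y \models \phi \wedge \psi$. The rules of $\Delta'$ are defined as in case (ii), except that $f_{\phi,\psi}$ is replaced with $g_{\phi,\psi}$. By this construction we achieve $\Pr^{\Delta}[t_X \models \phi\mathsf{AR}\psi] = \Pr^{\Delta'}[t_{X'} \models \mathsf{AG}A]$ for $X' = (X, g_{\phi,\psi}(X))$ and $A := \Gamma \times \{\frac{1}{2}, 1\}$. The following lemma allows us to express this probability in terms of AF instead of AG: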

Lemma 20. Let $\Delta = (\Gamma, \hookrightarrow, \mathit{Prob})$ be a branching process. Let $A \subseteq \Gamma$ such that no type in A is reachable from any type in $\Gamma \setminus A$. Define $G := \{Y \in A \mid \text{all types reachable from } Y \text{ are in } A\}$. Let $X \in \Gamma$. Then $\Pr[t_X \models \mathsf{AG}A] = \Pr[t_X \models \mathsf{AF}G]$.

To summarize case (iii): we have reduced AR to AG and then AG to AF. Hence, using Propositions 5 and 6 we obtain that whether $X \models [\phi\mathsf{AR}\psi]_{\bowtie r}$ holds is decidable in PSPACE; and in polynomial time for $r \in \{0, 1\}$.

As the overall algorithm computes the truth values of the sub-formulae recursively, we have proved the following theorem:

Theorem 21. Model checking branching processes against PTTL is in PSPACE. Model checking branching processes against the qualitative fragment of PTTL is in P.

5 Conclusions and Future Work 

Branching processes are a basic formalism for modelling probabilistic parallel programs with dynamic process creation. This paper is the first to consider the verification of branching processes. We have shown how to model check specifications given in terms of deterministic parity automata, a problem that unifies and strictly generalises linear-time model-checking problems for Markov chains and for (nonprobabilistic) nondeterministic transition systems. We have also provided model-checking algorithms for a new logic, PTTL, suitable for specifying probabilistic properties of random trees. To obtain these results we have provided reductions to computing the probability of hitting "good" states along all branches.

Future research in this area should involve: 

— the complexity of the problem where the specification is an LTL formula 
required to hold on all branches; 

— the problem where deterministic parity automata are replaced by other tree 
specification formalisms, such as CTL (or CTL*) formulae; 

— extending the model-checking algorithms to accommodate the synchronisation and communication features of probabilistic split-join systems.

It seems that at least the latter two problems require additional techniques, 
as the children of a node in the branching process can no longer be treated 
independently. 

Acknowledgements. We thank anonymous reviewers for their valuable feedback.

A Omitted Proofs

A.1 Proof of Lemma 10

Lemma 10. Define the events $C := \{t_X \mid t_X \models \mathsf{AF}(\mathrm{Clos}_X(t_X) \cup \mathrm{Fail}_X(t_X))\}$ and $I := \{t_X \mid \mathrm{Clos}_X(t_X) \text{ is infinite}\}$. Then $C \cap I = \emptyset$ and $\Pr[C \cup I] = 1$.

Proof. We first show $C \cap I = \emptyset$. Let $t \in I$. Consider the set W of those nodes w in t such that the path to w is neither X-closing nor X-failing and the same holds for all prefixes of this path. Since the parents of all nodes in the infinite set $\mathrm{Clos}_X(t)$ are in W, the set W is infinite as well. It follows from König's lemma that W contains an infinite path, hence a branch in t that does not hit $\mathrm{Clos}_X(t) \cup \mathrm{Fail}_X(t)$. So $t \notin C$. Thus $C \cap I = \emptyset$.

It remains to show $\Pr[C \cup I] = 1$. For the proof we follow a particular pattern which we will use several times in this paper: we describe a "procedure which unfolds a tree in stages". Such a "procedure" takes a tree $t_X \in [\![\Delta]\!]_X$ randomly generated by $\Delta$, and inspects finite prefixes of $t_X$ according to the procedure's pseudocode. In each step, the procedure accumulates "observations" on $t_X$, e.g., on whether or not a node with certain properties has been visited. Denote by $O_i(t_X)$ the sequence of observations the procedure makes on $t_X$ in the first i steps. For each observation sequence o, denote by $E(o, i)$ the event that the procedure observes o in the first i steps, i.e., $E(o, i) = \{t_X \in [\![\Delta]\!]_X \mid O_i(t_X) = o\}$. Any such event $E(o, i)$ is measurable, as the procedure looks only at finite prefixes of $t_X$. It follows that events such as "the procedure does not terminate" and "the procedure visits at least n nodes in $\mathrm{Clos}_X(t_X)$" are measurable as well. We follow this pattern in the rest of this proof and give some more details at the end. The other "procedural" proofs in this paper can be treated analogously.

Let $r$ denote the root of $t := t_X$. Consider the following procedure which
unfolds $t$ in stages:

1. Initialise a set $S$ with $S := \{r\}$.

2. Pick³ and remove from $S$ a node $u$ and unfold $|\Gamma|$ levels of $t_u$. Let $L$
   denote the set of the new "leaves", i.e., those descendants of $u$ that have
   distance $|\Gamma|$ from $u$.

3. Remove from $L$ those nodes $w$ that have a (proper or improper) ancestor $v$
   with $v \in \mathit{Clos}_X(t) \cup \mathit{Fail}_X(t)$. Add the remaining nodes in $L$ to $S$.

4. If $S$ is empty, then report "$t \in C$" and terminate. Otherwise goto 2.

If the procedure terminates, it correctly reports "$t \in C$". If it does not terminate,
then almost surely $t \in I$, because there is $p > 0$ such that in each execution of
step 2. the probability of reaching at least one new node in $\mathit{Clos}_X(t)$ is at
least $p$. In other words, the probability of nontermination equals the probability
of $I$. Hence $\Pr[C \cup I] = 1$.

³ To resolve the "nondeterminism", we can pick, e.g., the lexicographically smallest
node.
Let us give some more details on why the probability of nontermination in fact
equals the probability of $I$. As $C \cap I = \emptyset$, the event $I$ implies
nontermination. So it suffices to argue that $\Pr[\mathit{Non} \cap F] = 0$, where
$\mathit{Non}$ denotes nontermination and
$F := \{t_X \mid \mathit{Clos}_X(t_X) \text{ is finite}\}$. Consider the event $E_{i,n}$
that after $i$ iterations the procedure has not yet terminated and the number of
visited $\mathit{Clos}_X(t_X)$-nodes is less than $n$. As
$\mathit{Non} \cap F = \bigcup_{n \in \mathbb{N}} \bigcap_{i \in \mathbb{N}} E_{i,n}$,
it suffices to argue that for each $n \in \mathbb{N}$ we have
$\lim_{i \to \infty} \Pr[E_{i,n}] = 0$. Fix an arbitrary $n \in \mathbb{N}$. In each
iteration, there is a positive probability that the procedure terminates or hits at
least one new node in $\mathit{Clos}_X(t_X)$. This probability is bounded below by
some $p > 0$: take $p$ as the minimal probability over all types
$Y \in \Gamma \setminus N_X$ such that a tree rooted at $Y$ has an $X$-closing path of
length $|\Gamma|$. Hence, in $n$ procedure iterations the probability of termination or
hitting at least $n$ new nodes in $\mathit{Clos}_X(t_X)$ is at least $q := p^n > 0$.
It follows that $\Pr[E_{i+n,n}] \le (1 - q)\Pr[E_{i,n}]$. Hence we have
$\lim_{i \to \infty} \Pr[E_{i,n}] = 0$, as desired. □

A.2 Proof of Lemma 11

We show the following lemma from the main body of the paper:

Lemma 11 Define the events $F := \{t_X \mid t_X \models \mathsf{AF}\,N_X\}$ and
$H := \{t_X \mid t_X \text{ has an } X\text{-branch}\}$.
Then $F \cap H = \emptyset$ and $\Pr[F \cup H] = 1$.

Proof. The equality $F \cap H = \emptyset$ is obvious, so it suffices to show that
$\Pr[F \cup H] = 1$. Let $r$ denote the root of $t := t_X$. Consider the following
procedure which unfolds $t$ in stages:

1. Initialise a set $S$ with $S := \{r\}$.

2. Pick and remove from $S$ a node $u$ and unfold $t_u$ until all "leaves" of $t_u$ are
   in $\mathit{Clos}_X(t_u) \cup \mathit{Fail}_X(t_u)$. (Note that this step may not terminate.)

3. Add to $S$ all those "leaves" of $t_u$ that are in $\mathit{Clos}_X(t_u)$.

4. If $S$ is empty, then report "$t \in F$" and terminate. Otherwise goto 2.

If the procedure terminates, it correctly reports "$t \in F$". Using the event $I$ from
Lemma 10 we distinguish between two cases:

(a) $\Pr[I] = 0$: Lemma 10 implies that step 2. of the above procedure terminates
    almost surely in every iteration. If the overall procedure does not terminate,
    consider the set $M$ of those nodes that are in $S$ at some point during the
    execution of the procedure. This set $M$ is infinite. Then it follows from
    König's lemma that $t$ has a branch with infinitely many nodes in $M$. In this
    branch, any two distinct nodes in $M$ define an $X$-closing path. Hence, the
    branch is an $X$-branch, so $t \in H$.

(b) $\Pr[I] > 0$: Let $a := \Pr[I] > 0$ and choose $k \in \mathbb{N}$ such that
    $k \cdot a > 1$. Consider the $(X, k)$-skeleton of the branching process, i.e.,
    the branching process with a single type $X$ and rules

    $$X \xrightarrow{\;p_i\;} \underbrace{X \cdots X}_{i \text{ times}} \qquad \text{for } i \in \{0, 1, \ldots, k\}$$

    where, for $i \le k - 1$, the probability $p_i$ is the probability that a random
    tree $t_X$ satisfies $|\mathit{Clos}_X(t_X)| = i$ and $p_k$ is the probability that
    $|\mathit{Clos}_X(t_X)| \ge k$. We claim that the tree generated by the
    $(X, k)$-skeleton is infinite with positive probability. We argue by comparing
    with a "smaller" branching process: It is a fact in the theory of branching
    processes that $k \cdot a > 1$ implies that the tree generated by the branching
    process with the rules

    $$X \xrightarrow{\;a\;} \underbrace{X \cdots X}_{k \text{ times}} \quad \text{and} \quad X \xrightarrow{\;1-a\;} \varepsilon$$

    is infinite with positive probability. Hence the same holds for the
    $(X, k)$-skeleton.

    Now assume the procedure above does not terminate, then, almost surely, in
    one of the executions of step 2. the set $\mathit{Clos}_X(t_u)$ is infinite (implying
    that step 2. does not terminate). Let $\mathit{Clos}_X(t_u) = \{v_1, v_2, \ldots\}$.
    Each of the $v_i$ can be regarded as the root of a tree generated by the
    $(X, k)$-skeleton: regard the elements of
    $\mathit{Clos}_X(t_{v_i}) = \{w_{i1}, w_{i2}, \ldots\}$ (or the first $k$ according to
    an arbitrary order, if there are more than $k$) as direct children of $v_i$, and
    the elements of $\mathit{Clos}_X(t_{w_{ij}})$ as direct children of $w_{ij}$ etc. In
    this view, it follows from the previous discussion that, for all $i$, the
    contracted tree, i.e., the tree obtained from $t_{v_i}$ by contracting as described
    above, is infinite with positive probability. As a result, there is almost surely
    an $i$ such that the contracted tree obtained from $t_{v_i}$ is infinite. Since the
    $(X, k)$-skeleton is finitely branching, it follows that this contracted tree has
    an infinite branch. By the definition of $\mathit{Clos}_X$ this branch corresponds to
    an $X$-branch in $t_{v_i}$. As the path from the root of $t$ to $v_i$ is $X$-closing,
    it follows $t \in H$.

We conclude that the probability of nontermination equals the probability of $H$.
Hence $\Pr[F \cup H] = 1$. □
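The branching-process fact used in case (b) can be checked numerically. The following Python sketch is an added example, not part of the paper: it computes the probability that a single-type process generates a finite tree as the least fixed point of its offspring generating function, for the comparison process and for a skeleton. The value a = 0.3 and the skeleton probabilities are constructed for illustration, and all function names are hypothetical.

```python
def extinction_probability(offspring, tol=1e-12, max_iter=1_000_000):
    """Least fixed point in [0, 1] of f(q) = sum_i offspring[i] * q**i.

    offspring[i] is the probability that a node has exactly i children.
    Iterating f from q = 0 increases monotonically to the least fixed point,
    which is the probability that the generated tree is finite.
    """
    if any(p < 0 for p in offspring) or abs(sum(offspring) - 1.0) > 1e-9:
        raise ValueError("offspring must be a probability distribution")
    q = 0.0
    for _ in range(max_iter):
        nxt = sum(p * q**i for i, p in enumerate(offspring))
        if nxt - q < tol:
            return nxt
        q = nxt
    return q


def smallest_k(a):
    """Smallest natural number k with k * a > 1, for a in (0, 1]."""
    if not 0 < a <= 1:
        raise ValueError("a must be a probability in (0, 1]")
    k = 1
    while k * a <= 1:
        k += 1
    return k


def comparison_process(a, k):
    """Offspring law of the rules X -a-> X...X (k times), X -(1-a)-> empty."""
    dist = [0.0] * (k + 1)
    dist[0] = 1.0 - a
    dist[k] += a
    return dist


A_CONSTRUCTED = 0.3                      # stands in for a = Pr[I]; constructed
K = smallest_k(A_CONSTRUCTED)            # 4, since 3 * 0.3 <= 1 < 4 * 0.3
# Constructed (X, K)-skeleton p_0..p_K; only p_K >= a matters for the argument.
SKELETON_CONSTRUCTED = [0.5, 0.1, 0.05, 0.05, 0.3]


def survival_probabilities():
    """Return (comparison, skeleton) probabilities of an infinite tree."""
    cmp_q = extinction_probability(comparison_process(A_CONSTRUCTED, K))
    skel_q = extinction_probability(SKELETON_CONSTRUCTED)
    return 1.0 - cmp_q, 1.0 - skel_q


if __name__ == "__main__":
    print(K, survival_probabilities())
```

With k * a <= 1 (for instance k = 3 here) the iteration converges to 1, so the comparison process almost surely generates a finite tree and the argument needs the larger k.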



A.3 Proof of Proposition 14

We prove the following proposition from the main body of the paper:

Proposition 14 We have $\Pr[t_X \text{ is good}] = \Pr[t_X \models \mathsf{AF}\,G]$.

Proof. Define the events $A := \{t_X \mid t_X \models \mathsf{AF}\,G\}$ and
$B := \{t_X \mid t_X \text{ is not good}\}$.
We need to show that $\Pr[A] + \Pr[B] = 1$. First we show that $\Pr[A \cap B] = 0$.
Assume $t_X \in A$, so all branches in $t_X$ go through a node after which all reachable
types are clean. Since the set of nodes in a tree is countable, it follows that almost
surely no subtree of $t_X$ has a $Y$-branch for odd $Y$; i.e., $t_X$ is almost surely good.
Hence $\Pr[A \cap B] = 0$.

Now it suffices to show that $\Pr[A \cup B] = 1$. Let $r$ denote the root of $t := t_X$.
Consider the following procedure which unfolds $t$ in stages:

1. Initialise a set $S$ with $S := \{r\}$.

2. (a) If $S$ contains a node $u$ of unclean type, say, $Y$, then remove $u$ from $S$.
       Unfold $t_u$ until all "leaves" of $t_u$ have $N_Y$-type. (Note that this step may
       not terminate.)

   (b) Otherwise pick and remove from $S$ a node $u$ of clean type. Unfold $t_u$
       until either all "leaves" of $t_u$ have a $G$-type or at least one "leaf" of $t_u$
       has an unclean type.

3. Add all "leaves" of $t_u$ to $S$ except those that have $G$-type.

4. If $S$ is empty, then report "$t \in A$" and terminate. Otherwise goto 2.

If the procedure terminates, it correctly reports "$t \in A$". If an execution of
step 2. (a) does not terminate, then, by Lemma 11 the tree $t_u$ almost surely
has a $Y$-branch, implying that $t \in B$. In each execution, step 2. (b) terminates
almost surely, as there is $p > 0$ such that any node with non-$G$-type reaches an
unclean type with probability at least $p$. The outer loop ("otherwise goto 2.") is
almost surely executed only finitely often: this is because whenever step 2. (a)
is executed, there is a positive probability of nontermination in step 2. (a); and
whenever step 2. (b) is executed, there is a positive probability that this is the
last execution of step 2. (b), as there is a positive probability of reaching a "leaf"
of unclean type, which, again with positive probability, results in nontermination
during the following execution of step 2. (a).

We conclude that the probability that the above procedure does not terminate
equals the probability of $B$. Hence $\Pr[A \cup B] = 1$. □

A.4 Proof of Proposition 17

We prove the following proposition from the main body of the paper:

Proposition 17 QUANT-HIT is PosSLP-hard.

Proof. The proof is immediate from Theorem 5.3 of [5], as the "quantitative
termination" problem studied there for so-called 1-exit-RMCs corresponds exactly
to the $\mathcal{A}_{\mathit{hit}}$-specification for branching processes. However, we
remark that if the automaton $\mathcal{A}$ is part of the input, the problem to decide
whether $\Pr[t \text{ is accepted by } \mathcal{A}] > p$ holds cannot be translated to an
RMC problem, at least not in a straightforward way. □

A.5 Proof of Lemma 20

Lemma 20 Let $\Delta = (\Gamma, \mathit{Prob})$ be a branching process. Let
$\Lambda \subseteq \Gamma$ such that no type in $\Lambda$ is reachable from any type in
$\Gamma \setminus \Lambda$. Define
$G := \{Y \in \Lambda \mid \text{all types reachable from } Y \text{ are in } \Lambda\}$.
Let $X \in \Gamma$. Then $\Pr[t_X \models \mathsf{AG}\,\Lambda] = \Pr[t_X \models \mathsf{AF}\,G]$.

Proof. Define the events $A := \{t_X \mid t_X \models \mathsf{AF}\,G\}$ and
$B := \{t_X \mid t_X \not\models \mathsf{AG}\,\Lambda\}$.
We need to show that $\Pr[A] + \Pr[B] = 1$. First we show that $A \cap B = \emptyset$.
Observe that $B$ is the event that $t_X$ has a non-$\Lambda$ node, say $v$. By the
assumptions of the lemma, neither an ancestor nor a descendant of $v$ nor $v$ itself can
have a $G$-label. So $t_X \notin A$. Hence $\Pr[A \cap B] = 0$.

Now it suffices to show that $\Pr[A \cup B] = 1$. Let $r$ denote the root of $t := t_X$.
Consider the following procedure which unfolds $t$ in stages:

1. If $X \in G$, report "$t_X \in A$" and terminate. Otherwise, initialise a set $S$ with
   $S := \{r\}$.

2. Pick and remove from $S$ a node $u$ and unfold $|\Gamma|$ levels of $t_u$. Let $L$ denote
   the set of the new "leaves", i.e., those descendants of $u$ that have distance
   $|\Gamma|$ from $u$.

3. If there is a node $w$ in $L$ with $\ell(w) \notin \Lambda$, then report "$t \in B$" and
   terminate. Otherwise, remove from $L$ those nodes $w$ with $\ell(w) \in G$ and add the
   remaining nodes in $L$ to $S$.

4. If $S$ is empty, then report "$t \in A$" and terminate. Otherwise goto 2.

Clearly, if the procedure terminates, the reported result is correct. It remains to
show that the procedure terminates almost surely. Observe that all nodes that
are in $S$ at some point have a non-$G$ label. So in each execution of step 2. there
is a nonzero probability of hitting a non-$\Lambda$ node, which forces termination in
step 3. □